Omar Kurt

**Name of the Vulnerable Software and Affected Versions** FreshRSS version 1.11.1 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in GET requests. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `c` parameter or `a` parameter. **Recommendations** For FreshRSS version 1.11.1, consider restricting access to the vulnerable parameters `c` and `a` in GET requests until a patch is available. As a temporary workaround, avoid using the `c` and `a` parameters in affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** concrete5 versions prior to 5.7.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters, including `banned word[]` to "/index.php/dashboard/system/conversations/bannedwords/success", `channel` to "/index.php/dashboard/reports/logs/view", `accessType` to "/index.php/tools/required/permissions/access entity", `msCountry` to "/index.php/dashboard/system/multilingual/setup/load icon", `arHandle` to "/index.php/ccm/system/dialogs/area/design/submit" or "/index.php/ccm/system/dialogs/area/design", `pageURL` to "/index.php/dashboard/pages/single", `SEARCH INDEX AREA METHOD` to "/index.php/dashboard/system/seo/searchindex/updated", `unit` to "/index.php/dashboard/system/optimization/jobs/job scheduled", `register notification email` to "/index.php/dashboard/system/registration/open/1", or `PATH INFO` to "/index.php/dashboard/extend/connect/". **Recommendations** For concrete5 versions prior to 5.7.4, update to version 5.7.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Banner Effect Header plugin versions prior to 1.2.8 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `banner effect divid` parameter in the BannerEffectOptions page to "wp-admin/options-general.php". **Recommendations** For versions prior to 1.2.8, update to version 1.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the BannerEffectOptions page until the update is applied. Avoid using the `banner effect divid` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Blubrry PowerPress Podcasting plugin versions prior to 6.0.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `cat` parameter in a "powerpress-editcategoryfeed" action in the "powerpressadmin categoryfeeds.php" page to "wp-admin/admin.php". This is a cross-site scripting (XSS) issue. **Recommendations** For versions prior to 6.0.1, update to version 6.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "powerpressadmin categoryfeeds.php" page and avoiding the use of the `cat` parameter in the "powerpress-editcategoryfeed" action until the update is applied.

**Name of the Vulnerable Software and Affected Versions** MiniBB versions prior to 3.0.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `forum name`, `forum group`, `forum icon`, or `forum desc` parameters in the bb admin.php file. **Recommendations** For versions prior to 3.0.1, update to version 3.0.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the bb admin.php file to minimize the risk of exploitation. Avoid using the parameters `forum name`, `forum group`, `forum icon`, or `forum desc` in the affected file until the issue is resolved.